
Fixed the dockerfile.security.missing-user rule #3438

Closed

Commits on Aug 1, 2024

1. Fixed the dockerfile.security.missing-user rule

   - Fixed a bug where the previous version of this rule would have false positives on

     ```
     HEALTHCHECK ... \
       CMD ...
     ENTRYPOINT ...
     ```

     and

     ```
     HEALTHCHECK ... \
     CMD ...
     ENTRYPOINT ...
     ```

     It doesn't really make sense to flag on the CMD sub-directive of the HEALTHCHECK
     directive since there's very little chance that the application could be compromised
     via the HEALTHCHECK and then gain root access. This false positive creates a lot of noise
     and therefore we're addressing it.
   - There was a separate rule for ENTRYPOINT, which doesn't really make sense,
     since CMD and ENTRYPOINT can be used in the same Dockerfile,
     as per https://docs.docker.com/reference/dockerfile/#exec-form-entrypoint-example.
     Therefore, the rule was removed.
   - Fixed the bug that would create two findings for a Dockerfile like this:

     ```
     FROM busybox
     ENTRYPOINT ["some-command"]
     CMD ["--some-arg"]
     ```

   - The autofix arguments have changed because technically it doesn't matter
     where in the Dockerfile the USER directive is specified, insofar as the
     last specified USER is non-root. Previously, the autofix would attempt
     to add the USER directive above the CMD or ENTRYPOINT directives.
     However, since either or both of these can appear, we're not going to
     specify the CMD or ENTRYPOINT directive in the fix.
   - Cleaned up some of the test files to remove invalid syntax like calling CMD twice
   - Fixes semgrep#3436

   saghaulor committed Aug 1, 2024
   283b70f
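The checker below is an added illustration of the rule behaviour the commit message describes; it is not code from the semgrep-rules project or from this PR (the real rule is a Semgrep YAML pattern, not Python). It joins backslash-continued lines first, so the `CMD` that belongs to a multi-line `HEALTHCHECK` never appears as a top-level instruction; it emits at most one finding per Dockerfile even when both `ENTRYPOINT` and `CMD` are present; and its autofix appends a `USER` line at the end of the file rather than placing it above a particular directive, because only the last `USER` of the final stage matters. It goes slightly beyond the commit text in two assumed ways: each `FROM` starts a fresh stage with no known user (a base image that already sets a non-root `USER` would still be reported), and numeric forms such as `USER 0:0` are treated as root. The `nonroot` user name in the fix is a placeholder, and the sample Dockerfiles are constructed for the example.

```python
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Values of USER that mean "run as root" (name or uid, optionally with a group suffix).
ROOT_USERS = {"root", "0"}


class Finding(NamedTuple):
    line: int      # 1-based line of the last instruction in the offending stage
    message: str


def logical_instructions(dockerfile: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (start_line, KEYWORD, args) for each logical Dockerfile instruction.

    Physical lines ending in a backslash are joined, so a multi-line
    `HEALTHCHECK ... \\ CMD ...` is one HEALTHCHECK instruction and its CMD
    sub-directive is never seen as a top-level CMD. Comment and blank lines are skipped.
    """
    buf: List[str] = []
    start: Optional[int] = None
    for no, raw in enumerate(dockerfile.splitlines(), start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        if start is None:
            start = no
        if text.endswith("\\"):
            buf.append(text[:-1].strip())
            continue
        buf.append(text)
        parts = " ".join(buf).split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf, start = [], None
    if buf and start is not None:  # file ended inside a continuation
        parts = " ".join(buf).split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def is_root(user_arg: str) -> bool:
    """True for `root`, `0`, `root:root`, `0:0`, ... (assumption: name or uid before ':')."""
    return user_arg.strip().split(":")[0] in ROOT_USERS


def check_missing_user(dockerfile: str) -> List[Finding]:
    """Report the final build stage if it runs a command as root (at most one finding).

    A stage "runs a command" if it has a top-level CMD or ENTRYPOINT; having both
    still yields a single finding. Assumption: a new FROM starts with no known USER.
    """
    last_user: Optional[str] = None
    runs_command = False
    last_line = 0
    for no, keyword, args in logical_instructions(dockerfile):
        last_line = no
        if keyword == "FROM":
            last_user, runs_command = None, False
        elif keyword == "USER":
            last_user = args
        elif keyword in ("CMD", "ENTRYPOINT"):
            runs_command = True
    if not runs_command:
        return []
    if last_user is None:
        return [Finding(last_line, "no USER directive: the container runs as root by default")]
    if is_root(last_user):
        return [Finding(last_line, f"last USER is root ({last_user.strip()!r})")]
    return []


def autofix(dockerfile: str, user: str = "nonroot") -> str:
    """Append `USER <user>` at the end of the file when the rule fires.

    Position does not matter as long as it is the last USER of the stage; `nonroot`
    is a placeholder and must exist in the image (e.g. created with RUN adduser).
    """
    if not check_missing_user(dockerfile):
        return dockerfile
    return dockerfile.rstrip("\n") + f"\nUSER {user}\n"


# Constructed samples mirroring the cases in the commit message.
HEALTHCHECK_CASE = """\
FROM busybox
USER app
HEALTHCHECK --interval=30s \\
  CMD wget -q -O- http://localhost/ || exit 1
ENTRYPOINT ["some-command"]
"""

TWO_DIRECTIVES = """\
FROM busybox
ENTRYPOINT ["some-command"]
CMD ["--some-arg"]
"""

if __name__ == "__main__":
    for name, src in (("healthcheck", HEALTHCHECK_CASE), ("two-directives", TWO_DIRECTIVES)):
        print(name, check_missing_user(src))
    print(autofix(TWO_DIRECTIVES))
```

Running the block prints no finding for the HEALTHCHECK sample (its `CMD` is part of the HEALTHCHECK and `USER app` is non-root) and exactly one finding for the ENTRYPOINT-plus-CMD sample, followed by the fixed Dockerfile with `USER nonroot` appended.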